Change These Security Settings On Your Router

The router sitting in the corner of your office or study is an incredibly complex piece of hardware. While it may have cost as little as $50, it controls the flow of data in, out and around your network over wired and wireless connections. With that complexity comes a need to make sure everything is configured securely. Here are the essential steps you need to take to make sure your home or small office network is safe to use.

Change the admin password

Whenever you set up a new router, make sure you change the default administrator password.

Many new routers and mesh networking systems prompt you to do this when you set them up. If that’s not the case, go into the router’s settings, either with a web browser or using the device’s mobile app, and update the default administrator password.

While you’re there, also change the default administrator username if you can.

Wireless settings

There are many different settings you can tinker with when it comes to wireless. These are the key settings in my view. The trick is to make your network secure without making it so complex that it’s hard to manage.

Wireless security: Set the encryption type to WPA2 and use a strong password so that you don’t get any unwanted visitors connecting.

MAC address filtering: Every device that can connect to an ethernet network (ethernet is a set of standards that apply to both wired and wireless connections) has a unique identifier called a MAC address. Many routers let you create a whitelist so only authorised devices can connect. For most homes and small offices, that’s overkill and creates more work: if someone brings a new device into the network, you’ll have to add it to the list of authorised devices. While it may make you a little more secure, I’m not convinced it’s worth the extra effort.

Hiding your SSID: Your SSID is the name given to your wireless network. It’s possible to make that name invisible so that when people scan for wireless networks, they can’t see yours listed. Hiding your SSID has limited security value: even a low-skilled attacker can find it, because the SSID isn’t encrypted when a device joins a network. And, like MAC address filtering, it adds extra complexity for a negligible benefit.

Guest networks: Modern routers let you create multiple wireless networks by using their different radios. That means you can create a main network that gives users with the right network password access to all the devices you connect, such as printers, storage devices and security cameras. The guest network allows people to connect, but they are segregated from those resources, so all they get is internet access. I recommend keeping the guest network disabled unless you need it and only activating it with a strong password.

Keep your firmware up to date

A router is basically a specialised computer with multiple network connections. And, like any computer, it relies on software.

Most routers will automatically check for firmware updates and many will install them without any intervention during scheduled times. For example, you can have your router check for updates every week and perform updates at 2AM on Sunday.

Turn off remote administration

Many routers disable remote administration (also known as remote management or enable web access from WAN) by default. Remote administration gives access to your router’s control panel from outside your home network — so you can see why that would be a problem. Find the setting and ensure it’s disabled.

This article has been updated since its original publication.


  • Add to wireless – Disable WPS (the button/key to connect easily). This function is broken and extremely insecure. Luckily most wireless routers allow you to disable the ‘feature’.

    • No, only WPS PIN is broken. The button feature only works when someone presses the button (though the key is then transmitted in clear at that instant).
      The reason PIN is broken is that it’s broken into 2 parts of known length. A 4 digit number only has 10000 combinations, and the remaining 4 digits include a checksum, so only 1000 combinations. And they can be tested separately because the protocol tells the client which part was wrong.
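
The arithmetic in the reply above, checked in code as an added example (not part of the original comment or article): it implements the WPS PIN checksum digit, counts how many second halves are actually valid, and compares the worst case when a verifier gives one verdict for the whole PIN versus one verdict per half. The function names and the `verdict` model are illustrative assumptions, and nothing here touches a network.

```python
# Added illustration: a local model of WPS PIN checking, no network code.

def wps_checksum(first7: int) -> int:
    """Checksum digit for the seven free PIN digits (weights 3,1,3,1,...)."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


def count_second_halves(first_half: str) -> int:
    """How many of the 10000 possible second halves pass the checksum."""
    return sum(is_valid_pin(f"{first_half}{s:04d}") for s in range(10_000))


def verdict(pin: str, guess: str, split: bool) -> str:
    """Constructed stand-in for the verifier's reply to one guess."""
    if guess == pin:
        return "accepted"
    if not split:
        return "rejected"  # sound design: nothing learned about either half
    # Flawed design described in the comment: the reply names the bad half.
    return "first half wrong" if guess[:4] != pin[:4] else "second half wrong"


def worst_case_attempts(split: bool) -> int:
    """Upper bound on guesses the verifier design permits before success."""
    first_halves = 10_000                        # four unconstrained digits
    second_halves = count_second_halves("0000")  # checksum leaves 1000
    if split:
        return first_halves + second_halves      # halves settled one by one
    return first_halves * second_halves          # halves settled together


if __name__ == "__main__":
    print("per-half verdicts :", worst_case_attempts(True))
    print("whole-PIN verdict :", worst_case_attempts(False))
```

The per-half design caps the search at 11,000 guesses instead of 10,000,000, which is why disabling the PIN method matters more than the strength of any individual PIN.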

  • MAC filtering is useless. Almost all wireless adapters ever made have allowed for MAC address spoofing. The MAC of a genuine client is easily obtained from traffic if you’ve gotten far enough into the network to be blocked by MAC filtering.

    Hidden SSID just causes confusion for users with zero security benefit (Kismet will see it anyway), and also makes your client device constantly announce itself while away from the network… This could be a bigger security risk than having your SSID broadcast.

    And with remote admin… Remember to disable TR-069 too. You don’t want your ISP or someone else to edit your now secure settings, or worse – upload malicious firmware.
